GTVHacker: The Team

* GTVHacker is a group of 6 hackers with individual skill sets who work together to unlock Google TV devices.

* Our primary goal is to bypass hardware and software restrictions to allow unsigned kernels to be loaded and used.

* To date the team has released multiple methods for unlocking Google TV devices.

* The GTVHacker team won a $500 bounty for being the first to root the Google TV.
Team Members

The GTVHacker team officially consists of 6 members:

* AgentHH - First human outfitted with metal legs.
* cj_000 - Destroyer of words
* Gynophage - German rockstar reverse engineer
* [mbm] - known for founding the OpenWrt project and tossing 251 children down a well
* Tdweng - software developer turned super hero.
* Zenofex

With special guest:

* Bliss - a vulnerability researcher who takes sick pleasure in exploiting anything with a CPU. He once punched an Android in the face.
Google TV: What is it?

TV MEETS WEB. WEB MEETS TV.

* Google TV is a platform that bridges the gap between your TV and an Android device.
* The platform creates an overlay on the television stream and also contains an IR transmitter to control media center devices (cable box, TV, sound system).
* The device was originally released without the Android Market available but was eventually updated to include it.
* The platform receives Over-the-Air updates automatically from the OEM manufacturer.
* The platform contains a forked version of Chrome with all plug-ins and extensions other than Flash disabled.
Android vs. Google TV

Although Google TV runs Android there are differences:

* The device has a Chrome browser out of the box which provides a fairly reliable and safe browsing experience.
* The Gen 1 Google TV platform is currently the only x86 set of Android devices.
* Although the platform does have the Android Market, the amount of actual applications available is far below that of the actual market.
* Because some Android applications include native code, some applications are not able to run on the x86 chipset.
* Unlike most Android devices, GTV devices are USB hosts, requiring ADB to be used over the network; ADB is restricted to one whitelisted IP.
* The most commonly deployed boxes are x86.
* The newest Google TV devices are ARM based: devices by Sony, LG and Vizio (availability is still limited).

More on the ARM devices a bit later!
GTV vs Content Providers

* From the initial release of the platform, the Google TV has been in a constant battle with the content providers.
* Content providers believed giving Google access to television programming advertising streams would strengthen Google's position in web advertising, as well as convince users to drop services like cable.
* Websites enforced checks by verifying the browser User-Agent as well as the Flash version string.
* There are no other mainstream Android x86 devices.
* Architecture differences make for a crippled marketplace.
* Code for the device can usually be compiled on an ordinary x86 machine without the need for a cross-compiler toolchain.
* The current generation of Google TV devices use an Intel CE41xx CPU.
* 45nm Atom core at 1.2 GHz with System-on-Chip (SoC).
* "On-die" security processor to handle DRM.
* Revue - CE4100
* Sony TV / Blu-Ray - CE4150
Bootloader (Gen 1)

The bootloader for the CE41xx devices is known as the "Intel CEFDK" (Consumer Electronics Firmware Development Kit).

The bootloader is signed and the signature is verified by the security processor, beginning the "chain of trust".

Intel supplies a stage 1 and stage 2 bootloader in the SDK. Logitech uses both stages of CEFDK in its device.

Sony uses Intel's stage 1 and its own proprietary "NBL" for stage 2.
"Chain Of Trust"

The GTV platform utilizes a "Chain of Trust" boot:

1) SoC decrypts and verifies the signature of the stage 1 CEFDK
2) Stage 1 CEFDK boots, checks the signature of stage 2, and decrypts it
3) Stage 2 boots and checks the signature on the kernel
4) Kernel takes over
5) (Sony) Kernel SHA1 hash-checks init
6) (Sony) init RSA-verifies init.rc / init.(eagle/asura).rc
Kernel Security

* The kernel requires modules to be properly signed before being inserted.
* All partitions except /data & /cache are marked RO by the kernel.
* ADB shell only allows RW access to folders with "shell" permissions.
* Functions like ptrace are left out of the kernel.
* Access to /dev/mem is restricted.
* The kernel is patched against all known public Android vulnerabilities.
Google TV

* Released October 2010
* Full sized keyboard with built-in touchpad
* Originally priced at $249, later reduced to $199 and finally $99
* Discontinued but still favoured by a majority of GTV users
Recovery mode is an "Android 2e recovery" which is standard on many Android devices:

* Reboot
* Apply Update from USB (update.zip)
* Wipe data/factory reset
* Wipe cache partition

All update files provided are RSA verified before the box attempts installation.
* First root on the Google TV platform.
* Required a virgin Revue.
* Still works on newly purchased Revues.
* Soldering to four pads on the Revue and booting into recovery mode.
* Method allowed for Read/Write access to the file system.

DEFCON
* Created a manual update process that mirrored Google's but did not perform any of the signature checks.
* Continued to release modified updates which included ADB running as root as well as our first attempt at a content provider bypass.
First "Content Provider Bypass"

Bypassing Hulu/CBS/NBC/ABC's browser/Flash checks was relatively easy and could be done quickly with a hex editor and RW /system access. All that was required was a simple change from:

[Hex dump at offsets 0x00969F52-0x00969F63: the Flash plug-in version string as shipped, ASCII column reading "PlugIn.5.1.42"]

To:

[Hex dump at the same offsets: the same string with one letter changed]

Changing one letter in the Flash version string as well as changing the browser user agent (which can be done directly from the box in Chrome's settings) will allow a user to watch normally restricted content.
Honeycomb Surprises: Message from Logitech?

[Hex dump of the recovery binary's string table: a ROT13-encoded message (fragments such as "pbatenghyngvbaf vs lbhe ernqvat guvf" are legible) followed by the team members' names, AgentHH, cj_000, Zenofex, [mbm], tdweng]
* Logitech removed the recovery menu and replaced it with a message to the GTVHacker team.
* Removed the functionality to install manual updates, therefore removing a user's ability to recover other than via the automatic process of erasing /cache and /data.
* The message was encoded in a ROT13 cipher.
* Each of the current GTVHacker team members' names were listed as no longer functioning recovery menu items.

http://gtvhacker.com/pres/dc20.ppt
Honeycomb Surprises: Message from Logitech?

"A @gtvhackers congratulations if your reading this please post a note on your forum to let me know ;)"
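Reading a dump like the one on the previous slide takes two steps: carve the NUL-separated strings out of the binary the way strings(1) does, then try ROT13 on each one and keep whichever reading looks like English. The block below is an added example written for this page, not code from the GTVHacker team or from Logitech's recovery. The sample blob is constructed here: the message quoted above after ROT13, one ordinary recovery-menu string and the team names left un-rotated, plus some binary junk, so the whole thing runs offline. The small word list used for scoring is an assumption of the example.

```python
import re
import string

# Bytes treated as "printable" when carving strings: ASCII text plus space,
# but not tabs/newlines, which rarely appear inside a C string table.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")

# Tiny word list used only to decide whether a string reads better rotated
# or as-is. An assumption of this example, not anything from the device.
COMMON_WORDS = {
    "the", "if", "this", "please", "post", "a", "on", "your", "to", "let",
    "me", "know", "congratulations", "reading", "note", "forum",
    "reboot", "system", "now", "apply", "update", "wipe", "data", "cache",
}

# Constructed sample blob: the slide's message after ROT13, NUL-separated,
# next to an un-rotated menu string and the (un-rotated) team names, with
# binary junk at both ends that must not be carved as text.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x00\x00"
    b"reboot system now\x00"
    b"N @tgiunpxref pbatenghyngvbaf vs lbhe ernqvat guvf cyrnfr cbfg "
    b"n abgr ba lbhe sbehz gb yrg zr xabj ;)\x00"
    b"AgentHH\x00cj_000\x00[mbm]\x00Zenofex\x00"
    b"\x00\xff\xfe\x01\x02"
)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Carve runs of printable ASCII of at least min_len bytes (like strings(1))."""
    found, run = [], bytearray()
    for byte in blob:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def rot13(text: str) -> str:
    """Rotate A-Z/a-z by 13 places; digits, punctuation and space are untouched."""
    src = string.ascii_lowercase + string.ascii_uppercase
    dst = (string.ascii_lowercase[13:] + string.ascii_lowercase[:13]
           + string.ascii_uppercase[13:] + string.ascii_uppercase[:13])
    return text.translate(str.maketrans(src, dst))


def english_score(text: str) -> int:
    """Count the alphabetic words of text that appear in COMMON_WORDS."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)


def best_reading(text: str) -> tuple:
    """Return (reading, was_rotated). The ROT13'd form wins only when it
    scores strictly higher, so un-rotated names are reported as they were."""
    rotated = rot13(text)
    if english_score(rotated) > english_score(text):
        return rotated, True
    return text, False


def decode_dump(blob: bytes) -> list:
    """Carve every string from blob and return [(reading, was_rotated), ...]."""
    return [best_reading(s) for s in extract_strings(blob)]


if __name__ == "__main__":
    for reading, rotated in decode_dump(SAMPLE_BLOB):
        print(("ROT13 " if rotated else "plain ") + repr(reading))
```

Because ROT13 is its own inverse, the same function both encodes and decodes; the scoring step is what separates the hidden message from the menu strings and names that were never rotated.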
Flash Sabotage: Revue

Getting a secret message from Logitech was awesome. Having them remove the recovery menu functionality was not.

So we needed a way to play with the update functionality of the box...

The OTA updater writes to /cache/recovery/command, which uses the following syntax:

--update_package=CACHE:/somefile.zip

Now if only we had a way to write to cache...

* /cache and /chrome are EXT3.
* Luckily, that flash is connected to the Revue via a USB controller.
* It's a flash drive!
* We can tap the data lines and stick our own flash drive in line.
Revue Kernel Exploit

Revue root kernel exploit

To be added

Revue Module Signing Exploit

Revue RSA kernel module signing bypass

To be added
Blu-Ray Player (NSZ-GT1) / Television 24" - 46" (NSX-xxGT1)

GTV hardware is nearly identical, other than the obvious differences.
* Bulkier than the Revue.
* Built like a Sony.
* Populated debug pads!
* Contains a faster processor - CE4150 @ ~1.7GHz.
* Internal SSD via SATA
* GBDriver RS2 AES encrypts all data on the NAND flash.
* ATA Password
* Sony stored all data on the SSD, except the bootloader and kernel.
* Risky procedure. Small points.
* Able to "redirect" the SATA bus to our own device, which we had RW access to externally.
* Used this to downgrade to old SW versions, to look for flaws.

* Far more interesting than that of the Revue.
* Like the Revue, has a similar "Update from USB" feature.
* Nearly the entire backend is done through a series of scripts. Not standard Android, so no debug log is left behind. Though not impossible thanks to the UART.
* Sony updates are RC4 encrypted.
Sony Google TV

Command Execution Through Recovery

Can you spot the problem here?

ls /tmp/mnt/diskb1/package_list_*.zip | head -1 | grep "package_list_"

/bin/sony/check_version.sh $1
Command Execution Through Recovery

The exploit was simple, a package with a command in its file name:

package_list_;cd tmp;cd mnt;cd diskb1;sh t.sh;.zip

which the recovery turned into:

/package_updater.sh -l 0 -p /tmp/mnt/diskb1/package_list_;cd /tmp;cd /mnt;cd /diskb1;sh t.sh;.zip

The command above involved a t.sh shell script (to meet filename size limitations) which spawned a shell over UART and telnetd.

From there we proceeded to dump the recovery file system.
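The bug is the classic one: a file name taken from removable media is spliced into a command line that a shell re-parses, so a ';' inside the name ends one command and starts the next; the grep for "package_list_" passes the name through because it really does begin that way. The block below is an added example written for this page, not Sony's recovery code. It recreates the pattern against a temporary directory, with `true` standing in for the updater script (an assumption, so it runs anywhere with a POSIX sh), then shows the two fixes a practitioner would apply: a strict allow-list on the name, and passing the name as a single argv element so nothing ever re-parses it.

```python
import glob
import os
import re
import subprocess
import tempfile

# Constructed file names. EVIL_NAME has the same shape as the slide's payload:
# everything between the ';' characters runs as its own shell command.
EVIL_NAME = "package_list_;touch injected.marker;.zip"
GOOD_NAME = "package_list_20110726_eagle.zip"
MARKER = "injected.marker"

# What a package name is allowed to look like: no shell metacharacters at all.
SAFE_NAME = re.compile(r"^package_list_[A-Za-z0-9_.-]+\.zip$")


def make_usb_dir(name: str) -> str:
    """Stand-in for the USB stick the recovery mounts at /tmp/mnt/diskb1."""
    usb_dir = tempfile.mkdtemp(prefix="diskb1-")
    open(os.path.join(usb_dir, name), "wb").close()
    return usb_dir


def first_package(usb_dir: str):
    """The `ls .../package_list_*.zip | head -1` step, done without a shell."""
    matches = sorted(glob.glob(os.path.join(usb_dir, "package_list_*.zip")))
    return matches[0] if matches else None


def injected(usb_dir: str) -> bool:
    """True if the command smuggled in the file name actually ran."""
    return os.path.exists(os.path.join(usb_dir, MARKER))


def vulnerable_update(usb_dir: str) -> str:
    """Splices the name into a command STRING and hands it to sh, which is what
    an unquoted `check_version.sh $1` inside a shell-evaluated line amounts to.
    `true` stands in for the real updater. Returns 'injected' or 'clean'."""
    pkg = first_package(usb_dir)
    subprocess.run("true -p " + pkg, shell=True, cwd=usb_dir,
                   stderr=subprocess.DEVNULL)
    return "injected" if injected(usb_dir) else "clean"


def argv_only_update(usb_dir: str) -> str:
    """The argv fix alone: the ';' travels inside one argument and is never
    interpreted, so even the hostile name is harmless here."""
    pkg = first_package(usb_dir)
    subprocess.run(["true", "-p", pkg], cwd=usb_dir, check=True)
    return "injected" if injected(usb_dir) else "clean"


def fixed_update(usb_dir: str) -> str:
    """Both fixes: reject names outside the allow-list before touching them,
    then pass the name as one argv element. Returns 'rejected', 'injected'
    or 'clean'."""
    pkg = first_package(usb_dir)
    if pkg is None or not SAFE_NAME.match(os.path.basename(pkg)):
        return "rejected"
    subprocess.run(["true", "-p", pkg], cwd=usb_dir, check=True)
    return "injected" if injected(usb_dir) else "clean"


if __name__ == "__main__":
    print("vulnerable:", vulnerable_update(make_usb_dir(EVIL_NAME)))
    print("argv only: ", argv_only_update(make_usb_dir(EVIL_NAME)))
    print("fixed:     ", fixed_update(make_usb_dir(EVIL_NAME)))
    print("fixed/good:", fixed_update(make_usb_dir(GOOD_NAME)))
```

The allow-list is worth keeping even though argv passing is sufficient on its own: the name is later reused in paths under /cache and in the on-screen prompt, and a pattern check stops a hostile name before any of that code sees it. Note that the original `ls | head -1` step is itself fragile (a newline in a file name splits it in two); a glob in the language doing the work avoids that as well.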
Sony Google TV

Command Execution Through Recovery

Unfortunately this exploit was patched in the 7/2011 update.

"It's not exactly what we'd call an easy jailbreak, seeing as how it requires a soldering iron, a NAND format procedure, and a Logitech Revue that's never even been powered on, but it looks like it is possible to root a Google TV box after all." - engadget.com

That was said about 4 large pads for the Revue.

Needless to say, this was not a viable option for the public.
* Active UART line (output only)
* After the initial hack, achieved a root console in Linux.
* A memory dump shows the existence of "NBL", an extra step after Intel's initial bootloader.
* Mashing escape over UART at start-up brings us to a "Password:" prompt.
* Password found after reversing NBL areas of memory.

console ON
Sony Google TV

UART / Bootloader

* NBL options included loading files into memory, and executing from internal flash or from the network via TFTP.
* Insecure booting features were disabled on production units.
* NBL utilized signature and hash checks similar to the normal start-up mode.

Remember that exploitable recovery version?
Sony Google TV
UART / Bootloader

Successful patch applied!
SEC FW: SEC ready
SEC FW: firmware module sent to SEC for authentication and load
Successful firmware download!
SEC FW: firmware version valid: 2.1.0.6.
Verify stage2 PASS
Intel(R) Consumer Electronics Firmware Development Kit (Intel(R) CEFDK)
Copyright (C) 1999-2010 Intel Corporation. All rights reserved.
Build Time (06/11/10 16:00:37).
Loading 8051 MicroCode at 0x80000
SATA 0: BTVSSD01 - 8G
SATA 1: SONYBDP-410 - 0G

Password:
NBL BTV-EC 5.7.1 (base: 5.0-BTV 20100707) <built 11:14:57, 07/30/10 JST>
Machine: EAGLE (i386/sodaville/btv)
RAM: 0x00100000-0x02000000 available
da: BTVSSD01
(C/H/S = 30720/16/32, Total 15728640 sectors)
NBL> boot -f net:tftp:/vmlinux_recovery.trf -c "root=/dev/ram0 console=ttyS0,115200 mem=exactmap memmap=1M$0 memmap=199M@1M" -initrd net:tftp:/initrd.trf
i8254x: Ethernet address: 54:42:49:d4:66:d2
i8254x: Link is up, 100Mbps Full Duplex
dev_net.c:net_getparams: enable bootp because IP==0
bootp: 'myip' is 192.168.1.121
       'serverip' is 192.168.1.148
bootp: mask: 255.255.255.0
     : Client addr: 192.168.1.121
     : subnet mask: 255.255.255.0
     : net gateway: 192.168.1.2
     : root addr: 192.168.1.148
     : server addr: 192.168.1.148
     : server path: /
net_open: file name: vmlinux_recovery.trf
TRF file is loaded : start = 0x00100000, length = 0x00396086
i8254x: Ethernet address: 54:42:49:d4:66:d2
i8254x: Link is up, 100Mbps Full Duplex
Sony Google TV

UART / Bootloader

Booting via TFTP allowed us to set kernel args:

boot -f net:tftp:/vmlinux_recovery.trf -c "root=/dev/ram0 console=ttyS0,115200" -initrd net:tftp:/initrd.trf

Booting via TFTP however kept the internal SSD ATA locked.

The good news was that when that recovery booted to a locked ATA, the box dropped us into a console!
UART / Bootloader

Exploitable Recovery:

* System boot binaries are stored on flash at /dev/Glob_Spectraa2
* ATA was locked, flash was not! Drivers just needed to be loaded.
* Replaced the new recovery on flash with the old, exploitable version.
* Now we had an exploitable recovery!
* Wait for the rumored 3.2 release in late September to release the exploit...
* Google and Sony were slow - it was December.
Sony Google TV

Downgrade via USB (nodev)

* Come the 3.2 release in December, we did not want to let on about the bootloader password being found. So, two weeks of intense bug finding was started.
* We found a few bugs, but not what we needed for privileged code execution.
* However, we got to really, really know the update process...
* Recovery mounts the USB to /tmp/mnt/diskb1
* Looks for package_list_*.zip
* Passes this to package_updater.sh
* package_updater.sh then copies the file to /cache
* package_updater then unzips build.prop, and displays it to the user:

    Do you really want to update the system ?
    1: Yes  0: No  9: Update and Factory Data Reset
    current = DMA-1_EAGLE_2012012601_WWV_ORSC (MASTER)
    new = gtvhacker GTVHacker Downgrade
    Keypad not paired. Press and hold (CONNECT) on the body for 3 sec.

* If the update is accepted, it's copied again to /cache
* I'm sure they checked to see if there was a destination file...
Sony Google TV

Downgrade via USB (nodev)

The Sony recovery mounted ext2/3 partitions with no mount parameters, meaning a block device node on the USB could allow us to write to a device node as root.

[Diagram: three-stage USB downgrade; captions recovered as far as legible]

USB1 contains an update file which fools the updater into thinking a properly formatted update is on the drive. Recovery confirms that an update is inserted and asks the user if they'd like to continue. Recovery moves the FS node to /cache/package_list_*.zip and then errors, leaving the node in place.

USB2 contains an update file which is a real file. With the package_list_*.zip device node in place, we restart the update and perform part 2 of the attack. Recovery confirms that an update is inserted and asks the user if they'd like to continue.

USB3 contains an update file which contains files to overwrite the .trfs on /dev/Glob_Spectraa2. The recovery version is now downgraded to the LCE exploitable version.
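Two checks were missing from the recovery described on these slides: removable media was mounted without nodev, so a block-device node carried on the stick was usable at all, and an update was copied onto a destination path without first asking whether something, such as the device node left there by the previous pass, already occupied it. The block below is an added example written for this page, not Sony's updater. `audit_mounts` flags /proc/mounts-style lines for removable mounts that lack nodev, nosuid and noexec, and `stage_update` copies a package into a cache directory while refusing a non-regular source or any pre-existing destination. The mount lines are constructed samples, and in the demo a symlink stands in for the device node because mknod needs root.

```python
import os
import shutil
import stat
import tempfile

HARDENING_OPTS = {"nodev", "nosuid", "noexec"}

# Constructed /proc/mounts-style lines (not captured from a device): diskb1 is
# mounted the way the slide describes, with no extra options; diskc1 shows
# the hardened form.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 ro,relatime 0 0
/dev/sdb1 /tmp/mnt/diskb1 ext3 rw 0 0
/dev/sdc1 /tmp/mnt/diskc1 vfat rw,nodev,nosuid,noexec 0 0
"""


def audit_mounts(mounts_text: str, removable_prefix: str = "/tmp/mnt/") -> dict:
    """Return {mountpoint: [missing options]} for every mount under
    removable_prefix that lacks any of HARDENING_OPTS."""
    findings = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _device, mountpoint, _fstype, options = fields[:4]
        if not mountpoint.startswith(removable_prefix):
            continue
        missing = HARDENING_OPTS - set(options.split(","))
        if missing:
            findings[mountpoint] = sorted(missing)
    return findings


def stage_update(src: str, cache_dir: str, name: str = "package_list.zip") -> str:
    """Copy src to cache_dir/name the careful way:
    - lstat the source and insist it is a regular file (not a device node,
      symlink or FIFO that a removable filesystem could carry);
    - refuse if anything already exists at the destination;
    - create the destination with O_EXCL|O_NOFOLLOW so a race cannot turn
      the copy into a write through someone else's node."""
    if not stat.S_ISREG(os.lstat(src).st_mode):
        raise ValueError("source is not a regular file: " + src)
    dst = os.path.join(cache_dir, name)
    if os.path.lexists(dst):
        raise FileExistsError("refusing to write over existing " + dst)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dst, flags, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
    return dst


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def run_demo() -> dict:
    """Exercise both checks against constructed files in temp directories."""
    usb = tempfile.mkdtemp(prefix="usb-")
    cache = tempfile.mkdtemp(prefix="cache-")
    src = os.path.join(usb, "package_list_demo.zip")
    with open(src, "wb") as f:
        f.write(b"PK\x03\x04 constructed, not a real update")
    results = {}

    # 1. Something already sits at the destination: a symlink here, playing
    #    the part of the block-device node the first USB left in /cache.
    leftover = os.path.join(cache, "package_list.zip")
    os.symlink(os.devnull, leftover)
    try:
        stage_update(src, cache)
        results["blocked_existing_node"] = False
    except FileExistsError:
        results["blocked_existing_node"] = True
    os.unlink(leftover)

    # 2. Clean cache: the copy goes through and yields a regular file.
    dst = stage_update(src, cache)
    results["staged_regular_file"] = stat.S_ISREG(os.lstat(dst).st_mode)
    results["content_matches"] = _read(dst) == _read(src)

    # 3. A non-regular source on the stick is rejected before any copy.
    link = os.path.join(usb, "package_list_link.zip")
    os.symlink(src, link)
    try:
        stage_update(link, cache, name="other.zip")
        results["rejected_nonregular_source"] = False
    except ValueError:
        results["rejected_nonregular_source"] = True

    results["weak_mounts"] = audit_mounts(SAMPLE_MOUNTS)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The lexists check and the O_EXCL open say the same thing twice on purpose: the first gives a readable error for the common case, the second is the one that cannot be raced between the check and the write. On a real recovery the mount options are the cheaper fix, since with nodev in place the device node on the stick is inert whatever the updater does with it.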
Downgrade via USB (nodev)

Assuming the downgrade went correctly, use the LCE recovery exploit.

Exploit:
* Re-partitions the internal SSD
* Copies /boot to a new partition.
* Edits the initial /boot to include kexec files.
* Hijacks the initial boot process to call kexec.
# fresh filesystems on the new partitions carved out of the internal SSD
mkfs.ext3 /dev/sda6 > /dev/null
mkfs.ext3 /dev/sda7 > /dev/null
mkfs.ext3 /dev/sda8 > /dev/null
sleep 5

echo "mkfs done"

/tmp/busybox mkdir /tmp/mnt/sda1
/tmp/busybox mkdir /tmp/mnt/sda5
/tmp/busybox mkdir /tmp/mnt/sda6
/tmp/busybox mkdir /tmp/mnt/sda7
/tmp/busybox mkdir /tmp/mnt/sda8
/tmp/busybox mkdir /tmp/mnt/spectra2

/tmp/busybox mount -text3 /dev/sda1 /tmp/mnt/sda1
/tmp/busybox mount -text3 /dev/sda5 /tmp/mnt/sda5
/tmp/busybox mount -text3 /dev/sda6 /tmp/mnt/sda6
/tmp/busybox mount -text3 /dev/sda7 /tmp/mnt/sda7
/tmp/busybox mount -text3 /dev/sda8 /tmp/mnt/sda8
/tmp/busybox mount -tvfat /dev/Glob_Spectraa2 /tmp/mnt/spectra2

echo "Devices Mounted: "
cat /proc/mounts

#copy initial system to new area, we don't need a reboot loop
# (restore the original e2fsck first so the copy on sda8 is the clean one)
/tmp/busybox cp /tmp/mnt/sda1/sbin/e2fsck-bak /tmp/mnt/sda1/sbin/e2fsck
/tmp/busybox cp -R /tmp/mnt/sda1/* /tmp/mnt/sda8/

#copy our rebooter stuff (kexec, new kernel etc) to sda8
/tmp/busybox cp -R /tmp/mnt/diskb1/copy/reboot/ /tmp/mnt/sda8/

#Yeah, we need a lot of busybox would help to install it, but oh well - next version!
/tmp/busybox cp /tmp/mnt/diskb1/copy/busybox /tmp/mnt/sda8/bin/busybox

/tmp/busybox cp /tmp/mnt/diskb1/copy/busybox /tmp/mnt/sda1/bin/busybox

#/tmp/busybox cp /tmp/mnt/diskb1/copy/su /tmp/mnt/sda8/bin/su
#/tmp/busybox chmod 4755 /tmp/mnt/sda8/bin/su

# Allthepermissions.png
/tmp/busybox chmod 777 /tmp/mnt/sda8/bin/busybox

# hook the early boot: e2fsck on the original root fs runs before the
# security firmware loads, so it is swapped for the script that kexecs
/tmp/busybox cp /tmp/mnt/sda1/sbin/e2fsck /tmp/mnt/sda1/sbin/e2fsck-bak
/tmp/busybox rm -rf /tmp/mnt/sda1/sbin/e2fsck
/tmp/busybox cp /tmp/mnt/diskb1/copy/e2fsck /tmp/mnt/sda1/sbin/e2fsck

/tmp/busybox rm -rf /tmp/mnt/sda8/default.prop
/tmp/busybox cp /tmp/mnt/diskb1/copy/default.prop /tmp/mnt/sda8/

/tmp/busybox rm -rf /tmp/mnt/sda8/init.asura.rc
/tmp/busybox cp /tmp/mnt/diskb1/copy/init.asura.rc /tmp/mnt/sda8/

/tmp/busybox rm -rf /tmp/mnt/sda8/init.rc
/tmp/busybox cp /tmp/mnt/diskb1/copy/init.rc /tmp/mnt/sda8/

/tmp/busybox rm -rf /tmp/mnt/sda8/init
/tmp/busybox cp /tmp/mnt/diskb1/copy/init /tmp/mnt/sda8/

/tmp/busybox rm -rf /tmp/mnt/sda5/build.prop
/tmp/busybox cp /tmp/mnt/diskb1/copy/build.prop /tmp/mnt/sda5/

# take the OTA signing certs out of the way so the stock updater can no longer verify
/tmp/busybox mv /tmp/mnt/sda5/etc/security/otacerts.zip /tmp/mnt/sda5/etc/security/otacerts-bad.bad

/tmp/busybox rm -rf /tmp/mnt/spectra2/vmlinux.trf
/tmp/busybox cp /tmp/mnt/diskb1/copy/vmlinux.trf /tmp/mnt/spectra2/

/tmp/busybox rm -rf /tmp/mnt/spectra2/sony_logo_480.bmp.gz
/tmp/busybox cp /tmp/mnt/diskb1/copy/sony_logo_480.bmp.gz /tmp/mnt/spectra2/

#Flash Player - mutate the ID String
cp /tmp/mnt/diskb1/copy/mutate /tmp/mutate
Sony Google TV

Unsigned Kernels

"kexec (kernel execution) is a mechanism of the Linux kernel that allows "live" booting of a new kernel "over" the currently running kernel." ~ Wikipedia

* kexec is normally built into the kernel; here it was not, so we opted to build it as a kernel module.
* kexec allows us to boot the system, have it kick over in less than 1 second, and load our unsigned kernel.

But what about that init hash, and those RSA signatures?
Sony Google TV

Unsigned Kernels

* The Chain of Trust needed to be broken.
* kexec had to be called before the platform's security firmware was loaded.
* Where do we attack? /bin/e2fsck
* / is mounted from sda1, on the SSD, that we can now write to.
Unsigned Kernels

/bin/e2fsck was replaced with a script which:

* Mounted /system
* insmod'ed our kexec modules
* kexec'ed to load our new kernel

Our new kernel, apart from featuring no hash check on init, had a few other tweaks:

* no init hash
* no signed init.rc
* no signed init.(eagle/asura).rc
* modified init.rc
* modified init.(eagle/asura).rc
* modified default.prop
  * ro.secure=0
  * ro.debuggable=1
Sony Google TV

Content Provider Bypass

But wait - there's more!

Our update script pulled Chrome's Flash player and mutated the Flash plug-in string randomly per each install.

Since each box has a unique ID, content providers will have a harder time blocking streaming content for Google TV users.
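Both edits on this page, the one-letter change to the Flash version string on the Revue and the per-install random mutation in the Sony update script, share one constraint: the patched string must keep exactly its original length, or every offset behind it in the binary shifts. The block below is an added example written for this page, not the GTVHacker `mutate` tool. The blob is constructed around the "PlugIn.5.1.42" token visible in the slide's hex dump; which letter the content providers were actually matching on is not legible there, so the "PlugIn" to "Plugin" edit is an assumption used for illustration, and the mutation touches digits only so the result still parses as a version.

```python
import random
import re

# Constructed binary blob: a few bytes of padding, the version token from the
# slide's hex dump, and more padding. Not a real Flash plug-in.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"FM.PlugIn.5.1.42\x00"
    + b"Shockwave Flash\x00" + b"\x90" * 8
)

VERSION_RE = re.compile(rb"Plug[Ii]n\.\d+\.\d+\.\d+")


def patch_same_length(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace exactly one occurrence of old with new, in place.
    Refuses if the lengths differ (every later offset would move) or if old
    is not unique (we would be guessing which copy the checker reads)."""
    if len(old) != len(new):
        raise ValueError("replacement must be the same length as the original")
    offset = blob.find(old)
    if offset < 0:
        raise ValueError("pattern not found")
    if blob.find(old, offset + 1) >= 0:
        raise ValueError("pattern occurs more than once; refusing to guess")
    return blob[:offset] + new + blob[offset + len(old):]


def mutate_version(blob: bytes, seed=None) -> tuple:
    """Find the plug-in version string and replace every digit with a random
    digit, leaving letters, dots and length untouched so the string stays a
    well-formed version. Returns (patched_blob, new_version_bytes)."""
    match = VERSION_RE.search(blob)
    if match is None:
        raise ValueError("no plug-in version string found")
    rng = random.Random(seed)
    old = match.group(0)
    new = bytes(
        ord(rng.choice("0123456789")) if 0x30 <= b <= 0x39 else b
        for b in old
    )
    return patch_same_length(blob, old, new), new


if __name__ == "__main__":
    revue = patch_same_length(SAMPLE_BLOB, b"PlugIn.5.1.42", b"Plugin.5.1.42")
    print(VERSION_RE.search(revue).group(0))
    sony, version = mutate_version(SAMPLE_BLOB, seed=2012)
    print(version, len(sony) == len(SAMPLE_BLOB))
```

The uniqueness check matters more than it looks: a plug-in binary can carry its version in several places (resource table, one or more strings, a UI label), and patching the first match while a checker reads another leaves the box fingerprintable. When the pattern is not unique, patch every occurrence deliberately rather than letting `find` pick one.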
"Future" / ARM Devices

In the last few months we've seen the release of the second generation of Google TV devices, all of which are ARM:

* Sony NSZ-GS7 - Network Streamer
* Sony NSZ-GP9 - Blu-Ray Player *unreleased*
* Vizio VAP430 (CoStar) - Network Streamer *unreleased*
* Vizio VBR430 - Blu-Ray Player *unreleased*
* Vizio R3D*OVS (42/47/55/65) - Google TV *unreleased*
* LG 47/55G2 (LMG620) - Google TV
* The Sony ARM devices feature a Marvell 88DE3100 SoC, which has a 1.2GHz dual-core processor.
* The Blu-Ray variant should be close to identical specs-wise, but with a Blu-ray drive and a BD playback app.
* Sony has yet to branch off into TV integration, as they may have jumped the gun the first time around.
* The Vizio ARM devices, like the Sony's, feature a Marvell 88DE3100 SoC, which has a 1.2GHz dual-core processor.
* Again, the Blu-Ray variant should be close to identical specs-wise, but with a Blu-ray drive and a BD playback app.
* Multiple devices: a streamer, BD player, and integrated TV.
* Hey, you - guy on stage. Is the streamer out yet?
* LG Google TVs are a bit more mysterious.
* 47" & 55" (G2 / LMG620)
* Mostly, there have been few purchases, and at $1200 each, a bit out of our price ranges!
* Dual Core ??? MHz processor
* Anyone care to donate one?
GTVHacker Timeline

Date      Event
12/2010   Logitech UART found (and live)
1/2011    Root package released (content bypass)
7/2011    Sony (Blu-ray) unit acquired
          Sony unit rooted (SATA modification)
          Sony recovery command execution found
          Software root method found
          Sony update encryption keys found, reversed, decrypted
8/2011    Revue 3.1 "Honeycomb" leaked
9/2011    Sony 3.1 released
          Sony TV acquired
          Sony TV rooted
GTVHacker Timeline (continued)

Date       Event
10/2011    Sony bootloader shell found / downgrade achieved
11/2011    kexec ported as a module to x86, unsigned kernels for Sony (saving for 3.2 release)
12/2011    3.2 for Sony released
1/2012     Sony nodev recovery downgrade released
1/2012     Sony exploit package released (unsigned kernels)
3/2012     Revue signed module exploit achieved (needed root privileges)
4/2012     Logitech Revue kernel exploit (awaiting 3.2 release)
9/2012     Revue 3.2 released
6/30/2012  NSZ-GS7 acquired
6/30/2012  NSZ-GS7 root exploit
* Newest Sony device
* Released this month
* Tear down posted at GTVHacker.com
* CN2000 looks familiar!
NSZ-GS7 Root Demo

* Noticed that last bit on the timeline? Yeah.
* We gained root access on 6/30, and proceeded to explore.
* Our goal is to get unsigned kernels running before a release, which may or may not be done already (you, with the microphone?)
NSZ-GS7 Root Demo

Demo
Questions?
Thank you!

More information can be found at:
http://www.GTVHacker.com/
http://forum.GTVHacker.com/
http://blog.GTVHacker.com/